Merlin Labs Memo -- Week of December 12-16
GoTrim Botnet Attack Targets WordPress Websites
An active bot-driven campaign that involves anti-bot evasion capabilities has been observed since September, scanning and leveraging brute-force techniques against websites using the WordPress content management system (CMS). The new campaign, named GoTrim, uses a bot network to “perform distributed brute-force attacks in an attempt to login to the targeted web server.” If a breach is successful, an operator is able to install a script in the host that deploys a "bot client" from a hard-coded URL. GoTrim cannot currently self-propagate, distribute additional malware or persist in the infected system – rather it receives commands that initiate the brute-force attacks against WordPress and OpenCart. The malware has some additional capabilities to maneuver around existing cybersecurity protocols in its attempt to successfully execute the brute-force attack. -- Via The Hacker News
Our Take: This type of attack, if successful, paves the way for malicious actors to access servers and begin a journey of lateral movement or escalate the nature of the attack to something far more nefarious and damaging. It opens the proverbial door to a network system and allows hackers to enter and roam about the IT house. Once in the house, the intruder is encumbered only by the cybersecurity controls and technologies that have been put in place throughout the system and are prepared to recognize and thwart further malicious “insider” behaviors. The good news is that brute-force attacks are largely preventable through user education paired with strong zero-trust and technology-enforced access control policies – including those for privileged accounts. Enabling phishing-resistant multi-factor authentication, requiring strong passwords or pass phrases, limiting the number of allowed login attempts, analyzing network traffic for anomalies, and leveraging automation to identify and block known and suspected malicious IP addresses are just a few of the important steps every cybersecurity team should take to protect themselves against this type of threat. – Sarah Hensley, MS-SLP
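One way to put the "limit login attempts and block suspected sources" advice above into practice on the web-server side, as an added example that is not from the memo or from the reporting it cites: a small detector that parses access-log lines for POSTs to wp-login.php and flags both a single noisy IP and the distributed pattern the campaign relies on (many sources, each staying under a per-IP lockout). The log lines, IPs, and thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx combined-log pattern; only the fields needed for detection are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample entries (not real traffic): eight bot IPs each posting to
# wp-login.php only twice to stay under a naive per-IP lockout, one noisier bot,
# and one legitimate user whose login succeeds (WordPress answers 302 on success).
_EVENTS = [(f"203.0.113.{i}", "POST", "/wp-login.php", 200) for i in range(10, 18) for _ in range(2)]
_EVENTS += [("203.0.113.99", "POST", "/wp-login.php", 200)] * 6
_EVENTS += [("198.51.100.5", "POST", "/wp-login.php", 302), ("198.51.100.5", "GET", "/wp-admin/", 200)]
SAMPLE_LOG = [
    f'{ip} - - [14/Dec/2022:10:00:00 +0000] "{m} {p} HTTP/1.1" {s} 512 "-" "Mozilla/5.0"'
    for ip, m, p, s in _EVENTS
]

def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def failed_logins(lines):
    """Count failed wp-login.php POSTs per source IP.
    WordPress re-renders the form with HTTP 200 on a bad password and
    redirects (302) on success, so a 200 on a POST is the failure signal."""
    fails = Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0].endswith("/wp-login.php")
                and rec["status"] == "200"):
            fails[rec["ip"]] += 1
    return fails

def detect_bruteforce(lines, per_ip_limit=5, min_sources=5, aggregate_limit=10):
    """Flag the classic single-IP pattern (candidates for blocking) and the
    distributed one: many sources below the per-IP limit but a high aggregate."""
    fails = failed_logins(lines)
    total = sum(fails.values())
    return {
        "block_ips": sorted(ip for ip, n in fails.items() if n >= per_ip_limit),
        "distributed": len(fails) >= min_sources and total >= aggregate_limit,
        "sources": len(fails),
        "failures": total,
    }

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

In production the counts would be kept per time window and the aggregate alert fed to the MFA and IP-reputation controls the memo recommends rather than used alone.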
Additional Reading:
5G Network Slicing and Security
Let’s start with the positive: 5G network slicing is a very cool technology. It is a network as a service, combining infrastructure and security to improve efficiency and resiliency of 5G mobile networks. Once we get used to it, we won’t want to live in a world without it. Having said that, there are security concerns with the complexity of the new technology. Improper management, as with any tech, can expose vulnerabilities.
In the case of network slicing, which creates a logical network with per-user characteristics, made up of compute, storage, and infrastructure elements, a risk is that an improperly secured slice would allow for a user to escape it to attack other slices or the infrastructure itself. Another risk is that poor configuration leaves slices open to outside denial of service or attacker in the middle attacks. Given that network slicing administration is housed on cloud-based network function virtualization (NFV) platforms, the network slicing benefits from cloud scaling and optimization – and means it shares in existing cloud vulnerabilities. Cloud vulnerabilities usually arise out of misconfiguration, and I think we have a pattern here.
The new twist here is that the 5G networks are going to have LOTS of IoT devices on them for utilities, logistics, and “smart city” functions. Autonomous vehicles will also take advantage of 5G and network slicing for efficient operation. Breaking into these devices can allow for supply chain attacks, possibly allowing for hijacking of goods and services provided by network-attached devices.
Our take: Network slicing is fundamental to 5G operations, so the time is now to bake in zero-trust, post-quantum cryptography, and multi-factor authentication to these devices and the infrastructure that services them. We’ve got to have continual monitoring of the NFVs to make sure that the safe and compliant configuration we give them will stay that way. This is not something we leave just to the engineers putting it together: security needs to be proactive in getting its hands around 5G network slicing and making sure it’s built out properly. – Dean Webb
Additional Reading:
Signed, Sealed, Delivered: Should you trust signed software and drivers?
Software vendors try to provide products that are verified and/or signed to help assure you that they are safe to use. Frequently, as was the case with Microsoft Defender, security products whitelist signed software and allow it to pass through. But is this really safe? No.
The weak links in the story are developer accounts. Vendors rely on partners and developers to provide broader use and compatibility for their products. While this is useful, it can open the door to various malicious activities to take place if a developer account is compromised. In Defender's case, a compromised account was suspended but the software drivers were not. Being signed, they were still able to do their dirty work by injecting code into these drivers.
There was an update to fix this in Defender where they no longer trust suspended developer accounts' products to be whitelisted. Seems like this would have been a given, but trust in the modern cyber world is dangerous.
Our Take: As the saying goes, “Trust is earned.” In cybersecurity, however, that can no longer be the case. Instead, it should be, “Trust is NEVER implied.” There are no shortcuts to a good cybersecurity plan. Whitelisting can be a dangerous practice, especially regarding zero day threats. Everything needs to be always scrutinized. Potential bad actors' products need to be blocked upon discovery. – David Maphis
Additional Reading:
Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!